Openssl建立SSL雙向認證連線原始碼
(作者:陳波,2011-11-16,轉載請註明 Form:http://blog.csdn.net/jinhill/article/details/6979200)
#include "stdio.h"
#include "string.h"
#include "openssl/ssl.h"
#include "openssl/bio.h"
#include "openssl/err.h"
#pragma comment(lib, "WS2_32.lib")
#pragma comment(lib, "libeay32.lib")
#pragma comment(lib, "ssleay32.lib")
//獲取伺服器證書
int GetSrvCert(SSL * ssl, X509 ** pCert)
{
int rv = -1;
if(ssl == NULL)
{
return rv;
}
rv = SSL_get_verify_result(ssl);
*pCert = SSL_get_peer_certificate(ssl);
return rv;
}
//驗證證書的合法性
int VerifyCert(X509 * pCert, const char * hostname)
{
char commonName [512] = {0};
X509_NAME * name = NULL;
if(pCert == NULL || hostname == NULL)
{
return -1;
}
//獲取commonName
name = X509_get_subject_name(pCert);
X509_NAME_get_text_by_NID(name, NID_commonName, commonName, 512);
fprintf(stderr, "VerifyCert - Common Name on certificate: %s\n", commonName);
if(strcmp(commonName, hostname) == 0)
{
return 1;
}
else
{
return 0;
}
}
int main()
{
BIO *bio = NULL;
SSL *ssl = NULL;
SSL_CTX *ctx = NULL;
X509 *pCert = NULL;
int nRead = 0;
int nTotalLen = 0;
char szHttpReq[255] = "GET / HTTP/1.1\r\nHost: www.jinhill.com\r\nConnection: Close\r\n\r\n";
char szResp[1024] = {0};
//初始化SSL庫
SSL_library_init();
ERR_load_BIO_strings();
SSL_load_error_strings();
//新增SSL握手時所有支援的演算法
OpenSSL_add_all_algorithms();
//設定客戶端使用的SSL版本
SSL_METHOD* sslMethod = (SSL_METHOD*)SSLv3_client_method();
//建立SSL上下文環境 每個程序只需維護一個SSL_CTX結構體
ctx = SSL_CTX_new(sslMethod);
//載入受信任的根證書
if(! SSL_CTX_load_verify_locations(ctx, "JinhillRootCA.cer", NULL))
{
fprintf(stderr, "Error loading trust store\n");
ERR_print_errors_fp(stderr);
SSL_CTX_free(ctx);
return 0;
}
//設定證書密碼
SSL_CTX_set_default_passwd_cb_userdata(ctx, "1234");
//讀取證書檔案
SSL_CTX_use_certificate_file(ctx,"cb.crt",SSL_FILETYPE_PEM);
//讀取金鑰檔案
SSL_CTX_use_PrivateKey_file(ctx,"cb.key",SSL_FILETYPE_PEM);
//驗證金鑰是否與證書一致
SSL_CTX_check_private_key(ctx);
bio = BIO_new_ssl_connect(ctx);
BIO_get_ssl(bio, &ssl);
//裝置SSL連線模式自動重試
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
//建議連線
BIO_set_conn_hostname(bio, "www.jinhill.com:443");
fprintf(stderr, "Connecting to host www.jinhill.com\n");
if(BIO_do_connect(bio) <= 0)
{
fprintf(stderr, "Error attempting to connect\n");
ERR_print_errors_fp(stderr);
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
fprintf(stderr, "Retrieving peer certificate\n");
//獲取伺服器證書
if(GetSrvCert(ssl, &pCert) != X509_V_OK)
{
fprintf(stderr, "Certificate verification error: %i\n", SSL_get_verify_result(ssl));
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
//校驗伺服器證書
fprintf(stderr, "Validating peer certificate\n");
if(! VerifyCert(pCert, "www.jinhill.com"))
{
fprintf(stderr, "Hostname and Common Name do not match\n");
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
//傳送HTTP請求
fprintf(stderr, "Sending szHttpReq\n");
BIO_write(bio, szHttpReq, strlen(szHttpReq));
//讀取HTTP響應
fprintf(stderr, "Reading response\n");
nTotalLen = 0;
while(1)
{
nRead = BIO_read(bio, szResp, 1024);
if(nRead <= 0)
{
break;
}
szResp[nRead] = 0;
nTotalLen += nRead;
printf("%s", szResp);
}
printf("\nTotal bytes read: %i\n", nTotalLen);
//關閉連線
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}